Provenance
PGP
All release artifacts are signed with PGP. Follow these instructions to verify artifacts against their signatures.
-
Download the public key. Save it as
jreleaser.asc
. -
Verify the fingerprint matches the following:
$ gpg --show-keys jreleaser.asc
pub rsa4096 2021-02-10 [SC] [expires: 2031-02-08]
F1D5F6A91C86B0702CD0734BCCC55C5167419ADB
uid Andres Almiray <aalmiray@********.com>
sub rsa4096 2021-02-10 [E] [expires: 2031-02-08]
-
Import the key with
gpg --import jreleaser.asc
. -
Verify the chosen artifact with:
$ gpg --verify jreleaser-early-access.zip.asc jreleaser-early-access.zip
gpg: Signature made Tue Dec 13 06:51:49 2022 CET
gpg: using RSA key CCC55C5167419ADB
gpg: Good signature from "Andres Almiray <aalmiray@********.com>" [ultimate]
SLSA
Starting with v1.4.0
JReleaser provides SLSA provenance for all release artifacts.
Follow these instructions to verify artifacts.
-
Install or build the slsa-verifier binary.
-
Download jreleaser-all-early-access.intoto.jsonl.
-
Download the binary or binary files you’d like to verify.
-
Run the verifier against the binary. For example:
$ slsa-verifier verify-artifact jreleaser-early-access.zip \
--provenance-path jreleaser-all-early-access.intoto.jsonl \
--source-uri github.com/jreleaser/jreleaser
Verified signature against tlog entry index 8865454 at URL: https://rekor.sigstore.dev/api/v1/log/entries/24296fb24b8ad77acceaa92d35076867e961260048db8f9ee7726329e5a14ae3a6cfd678aeacad11
Verified build using builder https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v1.4.0 at commit caa516c7c52ca72a352f97e4153334080f8b7f43
PASSED: Verified SLSA provenance